A security expert says India’s contact-tracing app has flaws; New Delhi says they are ‘by design’

The Indian government has said that its contact-tracing app Aarogya Setu “by design” fetches the location data of its 90 million users and allows them to view the concentration of people who have tested positive for the coronavirus in their vicinity.

New Delhi issued the statement after France-based security researcher Baptiste Robert found what he argues are design flaws and privacy issues.

The government said it has always disclosed that it fetches users’ location data, a feature that critics say falls short of the privacy protections offered by similar technologies, including the joint project run by Apple and Google.

Aarogya Setu’s privacy policy says the app — in addition to collecting location data of a user at the time of registration — also “continuously collects your location data and stores securely on your mobile device a record of all the places you have been at 15-minute intervals.” The app uploads this data to its server along with the user’s digital ID if they test positive for COVID-19, or self-declare seeing symptoms that indicate that they might be infected with the infectious disease, it says.

Collecting location data is a complicated subject, regardless of the good intention of its developers and operators. On Monday, Google and Apple banned the use of location tracking on their coronavirus-tracing technology.

While some developers have argued that they need access to location data to track how outbreaks move and identify hotspots, privacy advocates have cautioned that if this data ever gets exposed, it could ostracize those who are affected.

Robert’s other concern is that Aarogya Setu, which was launched early last month, allows anyone to view the concentration of people in 500 meters to up to 10 kilometers who are either suspicious they have coronavirus, or are certain that they have the disease. He told TechCrunch that he was able to develop a script and view similar data for any nook and cranny of the world’s second most populous nation.

He said the government, which introduced a nationwide lockdown in late March, could have kept the radius limited to 500 meters.

In response, New Delhi said that its system is designed in a way that would prevent any script from making bulk requests. Additionally, it said, “getting data for multiple latitude and longitude this way is no different from asking several people of their location’s COVID-19 statistics.”

“All this information is already public for all locations and hence does not compromise on any personal or sensitive data,” the response said.

Some people argued today that at a crisis like this, when thousands of people are dying, these “flaws” were the least of their concerns and that the app served a much greater purpose. But Aarogya Setu, which has amassed 90 million monthly active people in less than 35 days, has also ruffled some feathers for the way it is being scaled up. New Delhi said earlier this month that all government and private sector employees need to have this app installed on their smartphones.

On Tuesday, local authority in Noida city, home to more than 640,000 people, on the outskirts of Delhi, said those who did not have the Aarogya Setu app installed on their phone would be fined or sent to prison.